Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Data of Honda Owners in North America Exposed Online

An Elasticsearch cluster containing information on Honda owners in North America was recently found to be accessible from the Internet without any authentication.

Discovered on December 11, 2019, by security researcher Bob Diachenko, the database was part of Honda North America infrastructure and it contained 976 million records.

An Elasticsearch cluster containing information on Honda owners in North America was recently found to be accessible from the Internet without any authentication.

Discovered on December 11, 2019, by security researcher Bob Diachenko, the database was part of Honda North America infrastructure and it contained 976 million records.

Of these, around 1 million records were found to include information about Honda owners and their vehicles, but the researcher said he was not able to confirm the exact number of unique customer records in the database.

The database stored names, contact details, and vehicle information, all of which could be accessed without a password. The company secured the server within hours after being notified, the researcher says.

Honda told the researcher that the leak involved a data logging and monitoring server for telematics services. The car maker also said that the estimated number of impacted customers was roughly 26,000.

“We are basing this number on a detailed review of the databases on this server, eliminating duplicate information and eliminating the data that does not contain consumer PII. […] The server on which the database resides was misconfigured on October 21, 2019,” Honda said.

The car maker also told Diachenko that no financial, credit card, or password information were present in the exposed database.

According to the security researcher, the database was exposed for over a week, meaning that malicious parties might have had time to copy the information, provided they discovered the exposure.

Advertisement. Scroll to continue reading.

“Honda is continuing to perform due diligence, and if it is determined that data was compromised, we will take appropriate actions in accordance with relevant laws and regulations. We will continue to work on proactive security measures to prevent similar incidents in the future,” Honda said.

The database was first indexed by search engine BinaryEdge on December 4, but the researcher only discovered it on December 11. Honda’s security team in Japan was alerted the next day and the server was shut down by December 13, the researcher says.

Information stored in the database included full name of Honda owners, email address, phone number, mailing address, vehicle make and model, vehicle VIN, agreement ID, and other service information. Internal logs and maintenance records were also present on the server.

Malicious actors who might have had the chance to download the exposed data could use it in targeted phishing campaigns.

In July, an Elasticsearch database exposed data related to Honda’s internal network and computers, such as hostname, MAC address, internal IP, operating system version, installed patches, and more.

Related: Unprotected Database Exposes Details of Honda’s Internal Network

Related: Car Dealer Marketing Firm Exposed 198 Million Data Records

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...